# File borrowed from openresty config.

# Environment variable need to be specified here (and below).
env PL_OAUTH_PROVIDER;
env PL_AUTH_URI;
env PL_AUTH_CLIENT_ID;
env PL_AUTH_EMAIL_PASSWORD_CONN;
env PL_OIDC_HOST;
env PL_OIDC_METADATA_URL;
env PL_OIDC_CLIENT_ID;
env PL_OIDC_ADDITIONAL_SCOPES;
env PL_OIDC_SOCIAL_CONFIG_LOGIN;
env PL_OIDC_SOCIAL_CONFIG_SIGNUP;
env PL_LD_CLIENT_ID;
env PL_DOMAIN_NAME;
env PL_API_SERVICE_HTTP;
env PL_SEGMENT_UI_WRITE_KEY;
env PL_SEGMENT_CLI_WRITE_KEY;
env PL_HYDRA_SERVICE;
env PL_KRATOS_SERVICE;
env SCRIPT_BUNDLE_URLS;
env SCRIPT_BUNDE_DEV;
env ANALYTICS_ENABLED;
env ANNOUNCEMENT_ENABLED;
env ANNOUNCE_WIDGET_URL;
env CONTACT_ENABLED;
env PASSTHROUGH_PROXY_PORT;

worker_processes  auto;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile      on;
    server_tokens off;

    log_format upstreamlog '[$time_local] $remote_addr - $remote_user - $server_name to: $upstream_addr: $request upstream_response_time $upstream_response_time msec $msec request_time $request_time';

    resolver kube-dns.kube-system.svc.cluster.local valid=5s;

    # Tune nginx keepalives to work with the GCP HTTP(S) Load Balancer:
    keepalive_timeout 650;
    keepalive_requests 10000;

    # Increase default server names length to 128:
    server_names_hash_bucket_size 128;

    proxy_cache_path   /var/cache/nginx levels=1:2 keys_zone=my_cache:10m max_size=100m inactive=1d;
    proxy_temp_path    /var/cache/nginx/tmp;

    ssl_buffer_size 4k;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1h;
    ssl_protocols TLSv1.2 TLSv1.3;

    upstream httpapisvc {
         # The nginx parser does not seem to understand that the $api_service
         # variable contains the port. Just referring to it as api-service since this
         # works in a service agnosistic way.
         server api-service:51200;
         keepalive 128;
    }

    upstream grpcapisvc {
         # The nginx parser does not seem to understand that the $api_service
         # variable contains the port. Just referring to it as api-service since this
         # works in a service agnosistic way.
         server api-service:51200;
         keepalive 128;
    }

    # This is the default fallback server if none of the subdomains match.
    server {
        listen [::]:56000 default_server;
        listen 56000;
        server_name _;

        ssl_certificate /certs/tls.crt;
        ssl_certificate_key /certs/tls.key;

        include /usr/local/openresty/nginx/conf/pixie_health_check.conf;

        if ($http_x_forwarded_proto = "http") {
            return 404;
        }

        location / {
            return 404;
        }
    }

    # This is the server that we use for all the locations that don't have a subdomain.
    # This just serves the minimal pages necessary to authenticate and get into a subdomain specfic site.
    server {
        listen [::]:56000 ssl http2;
        listen 56000 ssl http2;
        server_name @PL_DOMAIN_NAME@ *.cluster.local;

        include /usr/local/openresty/nginx/conf/pixie_compression.conf;
        include /usr/local/openresty/nginx/conf/pixie_vars.conf;
        include /usr/local/openresty/nginx/conf/pixie_server_defaults.conf;
        include /usr/local/openresty/nginx/conf/pixie_api.conf;

        if ($http_x_forwarded_proto = "http") {
            return 307 https://$host$request_uri;
        }

        location /install.sh {
          root /installer;
          try_files "/install.sh" =404;
        }

        location / {
          return 307 https://work.$domain_name$request_uri;
        }
    }

    # This is the server for the work subdomain.
    server {
        listen [::]:56000 ssl http2;
        listen 56000 ssl http2;
        server_name work.@PL_DOMAIN_NAME@;

        error_page 404 = @error404;
        include /usr/local/openresty/nginx/conf/pixie_compression.conf;
        include /usr/local/openresty/nginx/conf/pixie_vars.conf;
        include /usr/local/openresty/nginx/conf/pixie_server_defaults.conf;
        include /usr/local/openresty/nginx/conf/pixie_health_check.conf;
        include /usr/local/openresty/nginx/conf/pixie_api.conf;
        include /usr/local/openresty/nginx/conf/headers_common.conf;
        include /usr/local/openresty/nginx/conf/private/*.conf;

        # Disable caching by default.
        add_header Cache-Control "no-store";

        if ($http_x_forwarded_proto = "http") {
            return 307 https://$host$request_uri;
        }

        location /oauth/hydra {
            if ($hydra_service = "") {
                return 404;
            }
            # Using a variable in the proxy_pass argument and a trailing slash on the location
            # doesn't forward the subpath to the proxy destination. Instead we need to manually
            # manage this change by rewriting the path.
            rewrite ^/oauth/hydra/(.*) /$1  break;
            # Note - storing the protocol in the env variable causes nginx to reject the proxy_pass dest.
            proxy_pass https://$hydra_service$uri$is_args$args;
        }

        # Disable self-service registration in Kratos is the only way to prevent registration to orgs
        # that a user does not have permission to join. Org Admins should instead invite their users.
        # In the future Kratos will support disabling registration within kratos_config.yaml.
        # We want to replace this rule when that becomes available.
        # Issue tracking the feature: https://github.com/ory/kratos/issues/882
        location /oauth/kratos/self-service/registration {
            error_page 404 = @error404;
            return 404;
        }

        location /oauth/kratos {
            error_page 404 = @error404;
            if ($kratos_service = "") {
                return 404;
            }
            # Using a variable in the proxy_pass argument and a trailing slash on the location
            # doesn't forward the subpath to the proxy destination. Instead we need to manually
            # manage this change by rewriting the path.
            rewrite ^/oauth/kratos/(.*) /$1  break;
            # Note - storing the protocol in the env variable causes nginx to reject the proxy_pass dest.
            proxy_pass https://$kratos_service$uri$is_args$args;
        }

        location /install.sh {
          root /installer;
          try_files "/install.sh" =404;
        }

        location / {
            gzip_static off;
            root   /assets;
            try_files $uri "/index.html";
        }

        # Cache all contents hosted under /static. This is actually the same as the contents hosted under '/'
        # but nginx knows to cache these and webpack puts all the hashed assets in here.
        location ~ ^/static(/.*)$ {
            gzip_static off;
            root   /assets;
            include /usr/local/openresty/nginx/conf/pixie_cache.conf;
            include /usr/local/openresty/nginx/conf/pixie_filter.conf;
            try_files $1 "/index.html";
        }

        location /auth-complete {
            root   /assets;
            include /usr/local/openresty/nginx/conf/pixie_filter.conf;
            try_files $uri "/index.html";
        }

        location ~ ^/docs(?:/(.*))?$ {
            return 307 https://docs.pixielabs.ai/$1;
        }

        location @error404 {
          return 307 https://$domain_name?not_found=$uri;
        }
    }

    # This is the proxy server for segment.
    server {
        listen [::]:56000 ssl http2;
        listen 56000 ssl http2;
        server_name segment.@PL_DOMAIN_NAME@;

        include /usr/local/openresty/nginx/conf/pixie_compression.conf;
        include /usr/local/openresty/nginx/conf/pixie_vars.conf;

        set $segment_cdn "cdn.segment.com";

        location /v1/projects {
            proxy_pass https://$segment_cdn$uri$is_args$args;
            proxy_cache my_cache;
            proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
        }

        location /analytics.js/v1 {
            proxy_pass https://$segment_cdn$uri$is_args$args;
            proxy_cache my_cache;
            proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
        }

        location /analytics-next {
            proxy_pass https://$segment_cdn$uri$is_args$args;
            proxy_cache my_cache;
            proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
        }

        location /next-integrations {
            proxy_pass https://$segment_cdn$uri$is_args$args;
            proxy_cache my_cache;
            proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
        }

        location /cli-write-key {
            return 200 $segment_cli_write_key;
            default_type text/plain;
        }

        location / {
            set $segment_api "api.segment.io";
            proxy_pass https://$segment_api$uri$is_args$args;
            proxy_cache my_cache;
            proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
        }
    }

    # This is the redirect to the netlify hosted site for docs.
    server {
        listen [::]:56000 ssl http2;
        listen 56000 ssl http2;
        server_name docs.@PL_DOMAIN_NAME@;

        location / {
          return 307 https://docs.pixielabs.ai$request_uri;
        }
    }
}
